CVE-2026-45218 - WordPress WP Travel plugin <= 11.4.0 - SQL Injection vulnerability
CVE ID: CVE-2026-45218
Published: May 12, 2026, 11:16 a.m.
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Travel WP Travel wp-travel allows Blind SQL Injection. This issue affects WP Travel: from n/a through <= 11.4.0.
Severity: 7.7 | HIGH
CVE-2026-4827 - Insufficient Entropy vulnerability on Multiple Products
CVE ID: CVE-2026-4827
Published: May 12, 2026, 1:17 p.m.
Description: CWE-331 Insufficient Entropy vulnerability exists that could lead to unauthorized access when an attacker on the network can exploit weaknesses in session-management protections.
Severity: 8.7 | HIGH
CVE-2025-12659 - Heap-based buffer overflow in Siemens Simcenter Femap
CVE ID: CVE-2025-12659
Published: May 12, 2026, 2:16 p.m.
Description: The affected applications contain a memory corruption vulnerability while parsing specially crafted IPT files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-27349, ZDI-CAN-27389)
Severity: 7.3 | HIGH
CVE-2026-27851 - Apache Struts Unvalidated User Input Injection
CVE ID: CVE-2026-27851
Published: May 12, 2026, 2:16 p.m.
Description: When the safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe data to be unescaped. This can enable SQL / LDAP injection attacks when used in authentication. Avoid using the safe filter until on a fixed version. No publicly available exploits are known.
Severity: 7.4 | HIGH
CVE-2026-33603 - Dovecot SCRAM TLS Channel Binding Man-in-the-Middle Vulnerability
CVE ID: CVE-2026-33603
Published: May 12, 2026, 2:17 p.m.
Description: An attacker can use a specially crafted base64 exchange between Dovecot and the client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the client connection. If successful, the attacker can eavesdrop on communications between Dovecot and the client as a MITM proxy. Install the fixed version. No publicly available exploits are known.
Severity: 6.8 | MEDIUM
CVE-2026-35071 - Dell PowerScale InsightIQ OS Command Injection
CVE ID: CVE-2026-35071
Published: May 12, 2026, 2:17 p.m.
Description: Dell PowerScale InsightIQ, versions 6.0.0 through 6.2.0, contains an improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to command execution.
Severity: 8.2 | HIGH
CVE-2026-40016 - Exim ManageSieve CPU Time Limit Bypass Vulnerability
CVE ID: CVE-2026-40016
Published: May 12, 2026, 2:17 p.m.
Description: An attacker can upload a malicious Sieve script over the ManageSieve service (or locally) to bypass the configured CPU time limits for Sieve, consuming up to 130 times the configured limit. An attacker can use this to degrade server performance and bypass the configured CPU time limits for Sieve scripts. Install the fixed version, or alternatively prevent direct access to Sieve scripts via ManageSieve or local access. No publicly available exploits are known.
Severity: 5.3 | MEDIUM
CVE-2026-40020 - Dovecot IMAP SETACL Command Injection Vulnerability
CVE ID: CVE-2026-40020
Published: May 12, 2026, 2:17 p.m.
Description: An attacker can use the IMAP SETACL command to inject the anyone permission into a user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users. The impact is limited to being able to spam folders to other users; no unexpected access is gained. Install the fixed version. No publicly available exploits are known.
Severity: 3.1 | LOW
CVE-2026-40638 - Dell PowerScale InsightIQ Execution of Code with Unnecessary Privileges
CVE ID: CVE-2026-40638
Published: May 12, 2026, 2:17 p.m.
Description: Dell PowerScale InsightIQ, versions 5.0.0 through 6.2.0, contains an execution with unnecessary privileges vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to elevation of privileges.
Severity: 6.7 | MEDIUM
CVE-2026-42006 - Proxmox IMAP Memory Consumption Vulnerability (Arbitrary Bracing)
CVE ID: CVE-2026-42006
Published: May 12, 2026, 2:17 p.m.
Description: An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of doing this, so there was still another way left open. In particular, the fix was for closing braces, but open braces could still be used to bypass the limit. Using excessive bracing, an attacker can cause memory usage up to the configured memory limit. Install the fixed version, or configure vsz_limit for the imap process to a low value. No publicly available exploits are known.
Severity: 4.3 | MEDIUM
CVE-2026-43916 - pam_authnft: Heap buffer overflow in NETLINK_SOCK_DIAG reply walker
CVE ID: CVE-2026-43916
Published: May 12, 2026, 2:17 p.m.
Description: pam_authnft is a PAM session module binding nftables firewall rules to authenticated sessions via cgroupv2 inodes. Prior to 0.2.0-alpha, a heap buffer over-read in peer_lookup_tcp (src/peer_lookup.c:134, prior to the fix) allowed a crafted NETLINK_SOCK_DIAG reply to slip past the message-size check, then dereference past the end of the allocation. This vulnerability is fixed in 0.2.0-alpha.
Severity: 8.7 | HIGH
CVE-2026-43930 - Parse Server: MFA SMS one-time password accepted twice under concurrent login
CVE ID: CVE-2026-43930
Published: May 12, 2026, 2:17 p.m.
Description: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password (OTP) login path allows two concurrent /login requests carrying the same OTP to both succeed and both receive valid session tokens, breaking the single-use property of the OTP. The vulnerability requires the attacker to already possess the victim's password and intercept the active SMS OTP (e.g. via SIM swap, network mirror, or phishing relay) and to race the legitimate login request, so the practical attack surface is narrow. This vulnerability is fixed in 8.6.76 and 9.9.0-alpha.2.
Severity: 2.1 | LOW
CVE-2026-45091 - sealed-env: TOTP secret embedded in unseal token payload (enterprise mode)
CVE ID: CVE-2026-45091
Published: May 12, 2026, 2:17 p.m.
Description: sealed-env is a cross-stack, zero-trust secret management library for Node.js and Java/Spring Boot. In sealed-env enterprise mode, versions 0.1.0-alpha.1 through 0.1.0-alpha.3 embedded the operator's literal TOTP secret in the JWS payload of every minted unseal token. A JWS payload is base64-encoded JSON, not encrypted. Any party who could observe a minted token (CI build logs, container env dumps, kubectl describe pod, Sentry/Rollbar stack traces, log aggregators) could decode the payload and extract the TOTP secret in plaintext. This vulnerability is fixed in 0.1.0-alpha.4.
Severity: 9.1 | CRITICAL
CVE-2026-6865 - Improper Limitation of a Pathname to a Restricted Directory Vulnerability on Multiple Products
CVE ID: CVE-2026-6865
Published: May 12, 2026, 2:17 p.m.
Description: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") vulnerability that could cause unauthorized access to sensitive files when user-supplied input is improperly handled during server-side file path processing.
Severity: 7.1 | HIGH
CVE-2026-8388 - Incorrect boundary conditions in the JavaScript Engine: JIT component
CVE ID: CVE-2026-8388
Published: May 12, 2026, 2:17 p.m.
Description: Incorrect boundary conditions in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 150.0.3.
Severity: 0.0 | NA
CVE-2026-8389 - JIT miscompilation in the JavaScript Engine: JIT component
CVE ID: CVE-2026-8389
Published: May 12, 2026, 2:17 p.m.
Description: JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 150.0.3.
Severity: 0.0 | NA
CVE-2026-8390 - Use-after-free in the JavaScript: WebAssembly component
CVE ID: CVE-2026-8390
Published: May 12, 2026, 2:17 p.m.
Description: Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150.0.3.
Severity: 0.0 | NA
CVE-2026-8391 - Other issue in the JavaScript Engine component
CVE ID: CVE-2026-8391
Published: May 12, 2026, 2:17 p.m.
Description: Other issue in the JavaScript Engine component. This vulnerability was fixed in Firefox 150.0.3.
Severity: 0.0 | NA
CVE-2026-42825 - Windows Telephony Service Elevation of Privilege Vulnerability
CVE ID: CVE-2026-42825
Published: May 12, 2026, 6:17 p.m.
Description: Use after free in Windows Telephony Service allows an authorized attacker to elevate privileges locally.
Severity: 7.0 | HIGH
CVE-2026-42830 - Azure Monitor Agent Metrics Extension Elevation of Privilege Vulnerability
CVE ID: CVE-2026-42830
Published: May 12, 2026, 6:17 p.m.
Description: Untrusted search path in Azure Monitor Agent allows an authorized attacker to elevate privileges locally.
Severity: 6.5 | MEDIUM
CVE-2026-42831 - Microsoft Office Remote Code Execution Vulnerability
CVE ID: CVE-2026-42831
Published: May 12, 2026, 6:17 p.m.
Description: Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.
Severity: 7.8 | HIGH